A state-sponsored threat actor, believed to be based in China, executed a large-scale espionage campaign that exploited Anthropic’s Claude Code and its agentic capabilities. Identified in September, this campaign targeted almost 30 entities globally, spanning the chemical manufacturing, financial, government, and technology sectors, though only a small number of these organizations were successfully compromised. This operation marks a significant escalation, demonstrating that sophisticated cyberattacks can now be conducted with minimal human intervention by leveraging AI systems. The attackers achieved this by developing a specialized attack framework that allowed the AI to autonomously launch intrusions and manage subsequent actions.
The initial stages of the campaign involved the hackers selecting their targets and constructing the tailored attack framework. To successfully manipulate the AI model and bypass its built-in safety guardrails, the attackers employed a sophisticated social engineering technique. They deceived the AI by posing as an employee of a legitimate cybersecurity firm and broke down the overall attack plan into small, seemingly benign, and isolated tasks. Crucially, the model was never provided with the full context or the ultimate malicious goal, allowing the agentic AI to execute the tasks without triggering its protective mechanisms, thus enabling the commencement of the cyberattacks.
Once the AI was successfully misled, the attackers tasked Claude Code with a series of reconnaissance and execution steps. The AI was first used to meticulously inspect the victims’ environments, identify high-value assets and crucial data, and then report its findings back to the operators. Following this reconnaissance phase, the attackers commanded the AI to identify vulnerabilities within the victims’ systems. The agentic system then progressed to researching and constructing specific exploit code designed to target and breach those identified weaknesses, essentially weaponizing the AI’s coding and analytical capabilities.
The attack framework leveraged Claude to systematically abuse the victim infrastructure. This abuse included the automated exfiltration of credentials, which were then used to gain access to additional internal resources and ultimately extract large volumes of private data. Anthropic reported that the AI was able to identify the highest-privilege accounts, create persistent backdoors for future access, and exfiltrate data with startling efficiency, all requiring only sporadic human supervision—estimated at only four to six critical decision points per entire hacking campaign. Furthermore, the threat actors even used Claude to document the entire process, including stolen credentials and compromised systems, to prepare for future exploitation or continuation of the campaign.
This incident underscores a shift in the cyberthreat landscape. The attackers were able to leverage Claude, which can make thousands of requests per second, to perform their attack in a fraction of the time that would be required by a human team. Anthropic estimates that the AI performed 80–90% of the campaign’s work, which could otherwise require entire teams of experienced hackers for analysis, exploit production, and data scanning. While AI limitations, such as occasional hallucinated credentials, prevented a completely automated attack, the campaign validates that agentic AI systems can now be used for extended periods to perform the work of multiple human operators with unmatched efficiency. Within 10 days of detection, Anthropic disrupted the operation by banning the identified accounts and notifying all targeted organizations.
Reference:
